Messages

1

General Discussion / Re: Port Fowarding NAT Translation Configuration

« on: June 26, 2024, 09:10:33 pm »

Sorry I have no experience with tailscale. Maybe somebody else can help here.

Thanks anyway
I do hope someone can help me figure this out. I moved from pfsense recently and was able to get everything working fine except for this.

2

General Discussion / Re: Port Fowarding NAT Translation Configuration

« on: June 26, 2024, 07:45:58 pm »

Well you say it does not work, but this is a complex issue.

You have to do some troubleshooting with tcpdump and follow the flow of the packets from source to target and back. Then you can pinpoint where it takes the wrong route, or gets lost.

When you know the exact spot, you can tweak the configuration in order to make it work.

-----

Regarding the port forward and the floating rule, look at this paket flow diagram:

https://forum.opnsense.org/index.php?topic=36326

The NAT rule matches first (Thats your port forwarding)
Afterwards you need a firewall rule to allow that traffic. You can do that with either a floating rule that has multiple interfaces selected (the same as in the port forwarding rule), or you create seperate rules manually on each interface that allow that traffic.

the all show basically the same execpt that nat reflection is on all packets show tcp 0 in the end

This is nat reflection on
IPv4, length 74: 10.50.3.1.61906 > 10.50.3.243.22: tcp 0
IPv4, length 74: 10.50.3.243.22 > 10.50.3.1.64608: tcp 0

This is nat reflection off

IPv4, length 66: 10.50.3.243.22 > 10.50.3.1.59791: tcp 0
IPv4, length 1274: 10.50.3.1.59791 > 10.50.3.243.22: tcp 1208

This is the only difference.

the taiscale interface shows nothing with tcpdump and the origin on both situations shows the ip from my firewall because i assume thats how tailscale works? all traffic is seen as comming from the FW it self and not the other side of the tialscale tunnel?

Thanks.

3

General Discussion / Re: Port Fowarding NAT Translation Configuration

« on: June 26, 2024, 05:23:57 pm »

Sounds quite incredible that no one here, apart from pointing me to the obvious documentation , doesn’t have any thoughts of what might be wrong with my issue.
Note that in pfsense I had the exact config and it all works fine. I know tailscale is not officially supported by opnsense but there’s not reason for a port forwarding rule with nat reflection on to kill acesss to that machine from it.
Anyway…

P.S why does a port forward rule needs a separate floating rule anyway ? I really don’t understan

4

General Discussion / Re: Port Fowarding NAT Translation Configuration

« on: June 24, 2024, 09:25:16 pm »

So I did a few more tests and it seems to be an issue with tailscale alone.

If I turn on nat reflection on port forwarding rules I can no long access  anything on that host ip except for ping from the tailscale clients / machines except for ping. No ssh noting…all the other hosts on my lan and vlans that don’t have a a port forwarding rule , it works fine.

5

General Discussion / Re: Port Fowarding NAT Translation Configuration

« on: June 24, 2024, 04:30:52 pm »

Maybe this tutorial can help you to build the proper NAT from the ground up.

https://docs.opnsense.org/manual/how-tos/nat_reflection.html

I've read that countless times. Doesn't work! I think the issue is something do with tailscale no clue what could be

6

General Discussion / Re: Port Fowarding NAT Translation Configuration

« on: June 24, 2024, 09:28:02 am »

I wish someone could help with this.

It’s driving me nuts.

7

General Discussion / Re: Port Fowarding NAT Translation Configuration

« on: June 23, 2024, 10:31:52 pm »

Ok.
So I partially solved the issue by selecting my internal network interfaces as well as tailscale and WireGuard in the port forwarding rules and not only wan ( this is very different from pfsense hahaha )

But I still have a problem with one port forward rule I have for ssh with a custom port on the wan for a bit of obfuscation. Basically wan port  xxxxx to internal ip port 22. With nat reflection enable I can ssh into that machine fine from all my internal networks / vlans but not from WireGuard devices or tailscale. For example I have a vps I connect to my pfsense via tailscale and I can ssh into all my lan IPs except for the one with this rule.
If I edit the rule and select nat reflection - disable. It works fine. ( i would like to keep nat reflection on because I have a FQDN accessing that machine and would like to solve this without host override.  It also works fine if I disable the rule

I’m clueless at this point.

8

General Discussion / Port Fowarding NAT Translation Configuration

« on: June 21, 2024, 01:54:45 pm »

Hi.
I was playing with opnsense a bit last night. For the most part I managed to replicate what I had on the other sense. Except for issues with port forwarding and NAT reflection.
When I configure port forwarding I can't access either FQDN I'm forwarding (externally) or the machines internal IP addresses from my networks (rules are properly configured )

If I configure host override it works but IP address doesnt. Which is a problem because I have a tailscale tunnel configured to a remote VPS from which I need access my local IP addresses

If I disable NAT reflection on the portforwarding  rules  I can access the internal IP addresses from my internal networks and the remote tailscale VPS but not from external FQDN from within my network. I need as before to override hosts

External connections work fine with both configs

Is there any way to properly configure this? I mean... The second option works ok but adding host overrides is a bit annoying

I tried to read documentation but I found it a bit confusing tbh

Thank you

9

24.7 Production Series / Re: Development versions: Alpha, Beta and Release Candidate expla

« on: June 20, 2024, 11:25:42 pm »

Haha. Thanks for disclaimer.  and the clarifications

I didn’t mean to Insult  your product or anything but my experience with opnsense hadn’t been the best, although I admit probably because I didn’t dedicate as much time to it as I should. ( I’m just a musician of trade and a home laber of passion)
At the time the video you mention made sense to me … but certainly not anymore specially after Mr gonzopancho (lol ) replies and specifically his interactions with me.  ( as of the time of me writing this post  I’m apparently blocked from replying at the subreddit

Keep up the good work. I’ve deleted all my pfsense backups and VMs and restored an old openwrt config until I have time to dig into opnsense in July hopefully when 24.7 is released !    Morally i can’t continue to use pfsense anymore after this.  Free or not.

10

24.7 Production Series / Re: Development versions: Alpha, Beta and Release Candidate explained

« on: June 20, 2024, 07:53:56 pm »

Honest question.
Why did you choose FreeBSD 14.1 and not 15?
It seems that pfsense is using version 15 now on their latest plus version and will on their next CE too, wouldn't it make more sense for Opensense to go for verson 15 too, since netgate still contribues with quite a bit of code to mainstrean Freebsd, avvoiding the need of backports.
I'm  probably beeing a complete ignorant on this, but it just makes sense in my head.

11

24.1 Legacy Series / Re: strange behavior after update to Version 24.1.2

« on: March 26, 2024, 11:25:21 am »

Try using bind.

I’ve never used unbound on opnsense because it’s always seems broken somehow.  Still testing it but it looks way more promising

12

24.1 Legacy Series / Gateway monitoring WireGuard not working properly.

« on: March 24, 2024, 11:35:21 pm »

Hi.
Since I’ve upgraded to latest version of opnsense 24.1.4 gateway monitoring for wirguard stopped working after reboot. If I disable and enable WireGuard it works again just not after a reboot. I think I was on 21.1_13 before!
I didn’t change anything in my config and everything was working ok

Any ideas why this might be happening? Routes and everything else work fine

EDIT:

Solved my own issue.
It looks like it was some static routes i had defined for the Wireguard addresses . I must have set up this a long time ago and didnt realize they were not required anymore.

13

23.1 Legacy Series / Re: Can’t get ipv6 from my provider.

« on: April 17, 2023, 03:34:35 pm »

I'm not.

I'm on a Portuguese provider. Apparently my ISP takes forever to renew IPv6 leases.
I ended solving the problem by copying the duid file from pfsense  in /var/db to opnsense and it solved my issue

14

23.1 Legacy Series / Re: Can’t get ipv6 from my provider.

« on: April 15, 2023, 06:09:53 pm »

Hi.

Thanks for you reply.
I’ve came across that article before ( believe me I’ve google a lot heheh). No go! The only thing I didn’t try was that IMCP rule on wan but afaik it’s not required to get prefix delegations.

15

23.1 Legacy Series / Can’t get ipv6 from my provider.

« on: April 15, 2023, 03:59:14 pm »

Hello.
I’m currently trying to migrate my pfsense config to opnsense. Is there anything wrong with ipv6 on opnsense right now ? Because I can’t for the life of me to get this to work.
I tried to replicate as much as I can what I have on pfsense but no dice! I have my opnsense box connected to an SFP onu so I get public IPs on my pfsense/opnsense installs via ISP vlan no intermediate isp routers.

I get IPV6 via dhcpv6
My wan setting on pfsense are :

Request only an IPv6 prefix Only request an IPv6 prefix… ( checked )

DHCPv6 Prefix Delegation size : 56

Send IPv6 prefix hint Send an IPv6 prefix hint ( not checked )
Do not wait for a RA Required by some ISPs, especially those not using PPPoE ( checked )

Setting on lan internet face
Ipv6 interface : Tack interface
IPv6 Prefix ID: 0

Router Advirtisements : unmanaged. 
Rest is default. ( I also tried managed and assisted on opnsense makes no different.

I replicated the same exact setting on opnsense with a no go except for the “Do not wait for RA” since it doesn’t exist and from what I could read Opnsense now uses some sort of hybrid system for these situations. Note : isp requires this or I won’t get ipv6 on pfsense either.

Would be great if anyone had any clue of what’s going on.
Thanks